Ask a Kiwi IT manager whether their Microsoft 365 data is backed up, and you will usually get a confident “yes”. Ask them to point at the backup, and the room goes quiet. That gap is the single biggest data-protection risk facing New Zealand businesses in 2026, and it is the reason Microsoft 365 backup has shot up the NZ boardroom agenda this year.
Microsoft keeps the lights on for Exchange Online, SharePoint, OneDrive and Teams. What it does not do is treat your data the way a backup product would. There is no point-in-time recovery, no long-term retention by default, no protection against a malicious admin, and — until very recently — no Kiwi data-residency option at all. The Privacy Act 2020, NZISM (New Zealand Information Security Manual) and the Office of the Privacy Commissioner all expect you to be able to restore personal information after a breach. Microsoft’s native retention quietly assumes you can.
This guide covers the shared responsibility model, the retention gaps that bite NZ organisations, Privacy Act recovery scenarios, an honest cost comparison between Microsoft 365 Backup and third-party services, and how Veeam Data Cloud in the Azure NZ North region changes the data-sovereignty conversation.
The Microsoft 365 Shared Responsibility Model, in Plain English
Microsoft is responsible for keeping the service up. You are responsible for the data inside it. That is the M365 shared responsibility model in one sentence, but the implications take most NZ IT teams by surprise.
Microsoft’s own documentation and partners like Veeam describe it the same way. Microsoft handles physical data-centre security, the 99.9% uptime SLA, infrastructure redundancy and platform patching.
You are on the hook for:
- The data itself — emails, files, Teams chats, SharePoint sites, OneDrive
- User and admin error (the most common cause of data loss)
- Internal threats and rogue admins
- Ransomware and external attacks that reach into your tenant
- Long-term retention beyond Microsoft’s default windows
- Recovery in a usable timeframe — including for Privacy Act 2020 breach investigations
Industry surveys consistently show fewer than half of IT pros can confidently recover a deleted SharePoint site, OneDrive folder or Teams channel once the native retention window has lapsed. That is a Privacy Act problem waiting to happen.
Native M365 Retention: The Numbers Most People Get Wrong
Microsoft 365 has retention. It does not have backup. Here is what the platform actually keeps, by default:
| Workload | Default Retention | What Happens After |
|---|---|---|
| Exchange Online (deleted items) | 14 days (max 30) | Permanent purge |
| Exchange Online (deleted mailbox) | 30 days | Permanent purge |
| SharePoint Online (Recycle Bin) | 93 days (1st + 2nd stage) | Permanent purge |
| OneDrive (Recycle Bin) | 93 days | Permanent purge |
| OneDrive (deleted user account) | 30 days default, 93 days max | Permanent purge |
| Teams chats | 30 days (without retention policy) | Permanent purge |
| SharePoint version history | Up to 500 versions, no time limit | Replaced as versions roll off |
The cliff is steeper than it looks. According to Microsoft Learn, once the OneDrive retention window for a deleted user expires, files are purged permanently. If a staffer left six months ago, their OneDrive is gone — including client records, contracts, or personal information you were obliged to retain under section 22 of the Privacy Act 2020.
Retention labels and Purview policies extend these windows, but they are not backups. They protect against deletion; they do not protect against ransomware that encrypts files in place, admins who change retention settings, or accidental overwrites where every saved version is corrupted.
Five Recovery Scenarios That Trip Up NZ Organisations
These are five scenarios we have seen play out in NZ councils, schools, and SMBs over the last twelve months.
1. The departed-employee subject access request
A former employee files an Information Privacy Request under IPP 6, asking for everything the organisation holds about them. The request lands seven months after they left. Their OneDrive was purged 93 days after their account was disabled; their Teams 1:1 chats are gone. The agency cannot honour the request — and is potentially looking at a complaint to the Office of the Privacy Commissioner.
2. The ransomware-encrypted SharePoint site
An attacker compromises a finance manager’s account via session-token theft, then uses delegated rights to encrypt files across three SharePoint sites. Version history is intact — but every version is encrypted because the malware overwrote them in turn. Native point-in-time restore on a whole site is not a feature Microsoft offers.
3. The misconfigured Teams retention policy
An admin sets a Purview retention policy to “delete content older than 1 year” for Teams chats, intending it for a single team. Scope mistake — it applies tenant-wide. Three weeks later, every Teams conversation older than 12 months has been permanently deleted, including evidence relevant to an employment dispute.
4. The deleted-then-recreated user
Payroll deletes a user, then three months later recreates an account with the same UPN for someone else. The original mailbox and OneDrive are gone — soft-delete recovery is 30 days — and the new account starts empty. If that data was needed for a Privacy Act request or a CERT NZ incident enquiry, recovery is impossible without an external backup.
5. The Privacy Act notifiable breach investigation
Under section 114 of the Privacy Act 2020, organisations must notify the Privacy Commissioner of any breach causing serious harm “as soon as practicable” — guidance suggests 72 hours. You need to know what was compromised, whose data was affected, and when. Without point-in-time backups going back 12 months, you are guessing — and the Commissioner can fine non-compliant organisations up to NZD 10,000 per offence, with much larger civil penalties on the way.
Microsoft 365 Backup vs Third-Party: What You Actually Get
Microsoft launched its first-party Microsoft 365 Backup in 2024. It covers Exchange, SharePoint and OneDrive (Teams chat excluded) as a consumption service tied to your Azure subscription.
Here is how the four main options compare on the capabilities that matter for Privacy Act compliance and operational resilience:
| Option | Teams chat covered | Point-in-time restore | Immutability | NZ data residency | Managed by Kiwi engineers |
|---|---|---|---|---|---|
| Native M365 retention | ✗ | ✗ | ✗ | ✓ (tenant-bound) | ✗ |
| Microsoft 365 Backup | ✗ | ✓ (limited) | ✗ | ✓ (tenant-bound) | ✗ |
| Veeam Data Cloud (Azure NZ North) | ✓ | ✓ | ✓ | ✓ (NZ-resident) | ✗ |
| ASI Veeam BaaS (managed in NZ) | ✓ | ✓ | ✓ | ✓ (NZ-resident) | ✓ |
The critical gap in both native retention and Microsoft 365 Backup is sovereignty isolation. Backups land in storage tied to your tenant — if your tenant is compromised, your backups are inside the blast radius. Veeam Data Cloud and managed offerings like ASI Solutions’ third-party Microsoft 365 backup for NZ keep a logically separate, immutable copy outside the tenant boundary. That is what every NZISM-aligned environment expects.
The chart below shows how far back you can recover under each option — a key compliance question for Privacy Act subject access requests and breach investigations.

Why Azure NZ North Changed the Conversation in 2024
Until late 2024, Kiwi organisations buying third-party M365 backup faced an awkward trade-off: accept offshore data storage, or invest in on-premises kit. Microsoft opening the Azure NZ North region in Auckland — and Veeam launching Veeam Data Cloud onto it in September 2024 — closed that gap.
For the first time, you can hold a full point-in-time, immutable backup of your M365 tenant on New Zealand soil, in a Kiwi-jurisdiction Azure region. That answers the sovereignty questions councils, ministries, schools and government agencies now expect under NZISM and GCDO cloud guidance.
Veeam’s NZ launch noted the platform was already protecting more than 96,000 users globally. Pairing Veeam with locally-hosted object storage like ASI’s InfiniStor ($5/TB/month for cold storage, up to 19 nines durability) gives you a second immutable copy outside Azure entirely. That is 3-2-1-1-0 done properly: three copies, two media, one offsite, one immutable, zero recovery errors.
How to Get Started: A Practical Roadmap for NZ IT Teams
You do not need to rip and replace anything. The pragmatic path is:
1. Audit what you actually have. Run through the retention table above and document the gaps in plain English for your CIO or board.
2. Map the Privacy Act exposure. For each workload, ask: if a subject access request landed today for 7 years of records, could we honour it? If not, you have a compliance gap.
3. Set recovery objectives. RPO and RTO drive the architecture. For most NZ SMBs and councils, daily backups with item-level restore inside 4 hours are the right target.
4. Choose the backup model. Self-managed Veeam, Veeam Data Cloud (SaaS in Azure NZ North), or fully managed BaaS through a Kiwi MSP. The right answer depends on your in-house capacity.
5. Test restores quarterly. A backup you have never restored is a hope, not a plan.
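Steps 1 and 2 can be started from a single admin session. The script below is an added example written for this article (it is not ASI’s or Veeam’s code): it reads the native retention settings behind the table above, walks the Purview retention policies, flags a tenant-wide Teams delete rule of the kind in scenario 3, and reports which workloads cannot meet the record-keeping horizon from step 2. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, that the caller holds Exchange, Compliance and SharePoint admin rights, that Purview rule durations are reported in days, and that `$TenantName` is replaced with your tenant’s short name; the 7-year default is taken from step 2.

```powershell
# Added example, not ASI's or Veeam's code. Audits native M365 retention settings
# and Purview retention policies against a required record-keeping horizon.
# Assumes: ExchangeOnlineManagement + Microsoft.Online.SharePoint.PowerShell modules,
# admin rights in the tenant, and $TenantName = your tenant short name (placeholder).
param(
    [Parameter(Mandatory)] [string] $TenantName,
    [int] $RequiredRetentionDays = 7 * 365   # step 2: "7 years of records"
)

Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string] $Workload, [string] $Setting, [string] $Value, [string] $Note) {
    $findings.Add([pscustomobject]@{ Workload = $Workload; Setting = $Setting; Value = $Value; Note = $Note })
}

# Step 1a: Exchange Online deleted-item window per mailbox (14 days default, 30 max).
Get-Mailbox -ResultSize Unlimited |
    Group-Object { ([TimeSpan]$_.RetainDeletedItemsFor).Days } |
    ForEach-Object {
        Add-Finding 'Exchange Online' 'RetainDeletedItemsFor' "$($_.Name) days" `
            "$($_.Count) mailboxes; deleted items are purged after this window"
    }

# Step 1b: how long a departed user's OneDrive survives before purge (scenario 1).
$orphanDays = (Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod
Add-Finding 'OneDrive' 'OrphanedPersonalSitesRetentionPeriod' "$orphanDays days" `
    "Deleted user's OneDrive is purged after this window"

# Step 1c: Purview retention policies. Track the longest "keep" duration per workload
# and flag tenant-wide Teams delete rules (the scope mistake in scenario 3).
$locations = @{
    'Exchange Online'   = 'ExchangeLocation'
    'SharePoint Online' = 'SharePointLocation'
    'OneDrive'          = 'OneDriveLocation'
    'Teams chats'       = 'TeamsChatLocation'
}
$longestKeep = @{}
foreach ($policy in (Get-RetentionCompliancePolicy | Where-Object { $_.Enabled })) {
    foreach ($rule in Get-RetentionComplianceRule -Policy $policy.Name) {
        # Assumption: RetentionDuration is a day count or the string 'Unlimited'.
        $days = if ("$($rule.RetentionDuration)" -eq 'Unlimited') { [int]::MaxValue } else { [int]$rule.RetentionDuration }
        $keeps = $rule.RetentionComplianceAction -in @('Keep', 'KeepAndDelete')
        foreach ($workload in $locations.Keys) {
            $scope = $policy.($locations[$workload])
            if (-not $scope) { continue }   # this policy does not touch this workload
            if ($keeps -and (-not $longestKeep.ContainsKey($workload) -or $days -gt $longestKeep[$workload])) {
                $longestKeep[$workload] = $days
            }
            if ($workload -eq 'Teams chats' -and "$scope" -eq 'All' -and $rule.RetentionComplianceAction -ne 'Keep') {
                Add-Finding 'Teams chats' "Policy '$($policy.Name)'" "$($rule.RetentionComplianceAction) after $days days" `
                    'Tenant-wide delete rule; confirm the scope is intentional'
            }
        }
    }
}

# Step 2: compare the longest keep rule per workload with the required horizon.
foreach ($workload in $locations.Keys) {
    $have   = if ($longestKeep.ContainsKey($workload)) { $longestKeep[$workload] } else { 0 }
    $shown  = if ($have -eq [int]::MaxValue) { 'unlimited' } else { "$have days" }
    $status = if ($have -ge $RequiredRetentionDays) { 'OK' } else { 'GAP' }
    Add-Finding $workload 'Longest Purview keep rule' $shown "$status against $RequiredRetentionDays days required"
}

$findings | Sort-Object Workload | Format-Table -AutoSize -Wrap

Disconnect-SPOService
Disconnect-ExchangeOnline -Confirm:$false
```

Run it as `.\Audit-M365Retention.ps1 -TenantName contoso` (a constructed tenant name) and paste the table into the plain-English gap summary for your CIO. An “OK” row only means deletion is covered for long enough: it says nothing about point-in-time restore, immutability or an out-of-tenant copy, which is exactly the distinction the rest of this article draws between retention and backup.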
If steps 4 and 5 sound like work you do not have time for, that is where managed BaaS earns its keep. Book a meeting and we will walk through your tenant, the Privacy Act exposure, and a clear path to a backup architecture that works when you need it. ASI has been doing this for Kiwi organisations since 1985, our engineers are based here, and our 15-minute SLA on Severity 1 tickets is real.